Secret-Sharing for NP

• Published in: Journal of cryptology Vol. 30; no. 2; pp. 444 - 469
• Main Authors: Komargodski, Ilan, Naor, Moni, Yogev, Eylon
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.04.2017; Springer Nature B.V
• Subjects: Boolean algebra; Boolean functions; Coding and Information Theory; Combinatorics; Communications Engineering; Computation; Computational Mathematics and Numerical Analysis; Computer Science; Cryptography; Encryption; Functions (mathematics); Mathematical analysis; Monotone functions; Networks; Probability Theory and Stochastic Processes; Set theory; Obfuscation; Secret-sharing; Witness encryption
• ISSN: 0933-2790; 1432-1378
• DOI: 10.1007/s00145-015-9226-0

A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function. It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in P ). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in NP : in order to reconstruct the secret a set of parties must be “qualified” and provide a witness attesting to this fact. Recently, Garg et al. (Symposium on theory of computing conference, STOC, pp 467–476, 2013 ) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement x ∈ L for a language L ∈ NP such that anyone holding a witness to the statement can decrypt the message; however, if x ∉ L , then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction. One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for any monotone function in NP assuming witness encryption for NP and one-way functions. As a consequence we get a completeness theorem for secret-sharing: computational secret-sharing scheme for any single monotone NP -complete function implies a computational secret-sharing scheme for every monotone function in NP .